THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3...
Transcript of THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3...
![Page 1: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/1.jpg)
THE DUKES 7 YEARS OF RUSSIAN
CYBERESPIONAGE F-Secure Whitepaper
September 2015
![Page 2: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/2.jpg)
CONTENTS
EXECUTIVE SUMMARY ........................................................................... 3
THE STORY OF THE DUKES ................................................................... 4
2008: Chechnya ............................................................................................................. 4
Etymology: a note on names ....................................................................................... 5
2009: First known campaigns against the West ......................................................... 6
2010: The emergence of CosmicDuke in the Caucasus ............................................ 7
2011: John Kasai of Klagenfurt, Austria ........................................................................ 8
2011: Continuing expansion of the Dukes arsenal ...................................................... 8
2012: Hiding in the shadows ....................................................................................... 10
2013: MiniDuke flies too close to the sun.................................................................. 10
2013: The curious case of OnionDuke ........................................................................ 12
2013: The Dukes and Ukraine....................................................................................... 13
2013: CosmicDuke’s war on drugs ............................................................................... 13
2014: MiniDuke’s rise from the ashes .........................................................................14
2014: CosmicDuke’s moment of fame and the scramble that ensued ...................14
2014: CozyDuke and monkey videos .......................................................................... 15
2014: OnionDuke gets caught using a malicious Tor node .....................................16
2015: The Dukes up the ante ....................................................................................... 17
2015: CloudDuke ..........................................................................................................20
2015: Continuing surgical strikes with CosmicDuke ................................................. 21
TOOLS AND TECHNIQUES OF THE DUKES ........................................ 22
PINCHDUKE ................................................................................................................. 22
GEMINIDUKE ............................................................................................................... 23
COSMICDUKE .............................................................................................................. 25
MINIDUKE .....................................................................................................................27
COZYDUKE ................................................................................................................... 28
ONIONDUKE................................................................................................................ 29
SEADUKE ...................................................................................................................... 30
HAMMERDUKE ............................................................................................................. 31
CLOUDDUKE ................................................................................................................ 32
INFECTION VECTORS .............................................................................33
DECOYS ....................................................................................................33
EXPLOITATION OF VULNERABILITIES.................................................. 34
ATTRIBUTION AND STATE-SPONSORSHIP ......................................... 34
BIBLIOGRAPHY ........................................................................................37
APPENDIX I: DATA LISTINGS.................................................................. 38
About F-secure ....................................................................................... 43
This whitepaper explores the tools - such as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, etc- of the Dukes, a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making.
![Page 3: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/3.jpg)
F-Secure Whitepaper, September 2015
3
EXECUTIVE SUMMARY
The Dukes are a well-resourced, highly dedicated and organized cyberespionage group
that we believe has been working for the Russian Federation since at least 2008 to collect
intelligence in support of foreign and security policy decision-making.
The Dukes primarily target Western governments and related organizations, such as government
ministries and agencies, political think tanks, and governmental subcontractors. Their targets have
also included the governments of members of the Commonwealth of Independent States; Asian,
African, and Middle Eastern governments; organizations associated with Chechen extremism; and
Russian speakers engaged in the illicit trade of controlled substances and drugs.
The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke,
CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke,
and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large-scale
spear-phishing campaigns against hundreds or even thousands of recipients associated with
governmental institutions and affiliated organizations.
These campaigns utilize a smash-and-grab approach involving a fast but noisy break- in followed
by the rapid collection and exfiltration of as much data as possible. If the compromised target
is discovered to be of value, the Dukes will quickly switch the toolset used and move to using
stealthier tactics focused on persistent compromise and long-term intelligence gathering.
In addition to these large-scale campaigns, the Dukes continuously and concurrently engage
in smaller, much more targeted campaigns, utilizing
different toolsets. These targeted campaigns have been
going on for at least 7 years. The targets and timing of
these campaigns appear to align with the known foreign
and security policy interests of the Russian Federation at
those times.
The Dukes rapidly react to research being published
about their toolsets and operations. However, the
group (or their sponsors) value their operations so
highly that though they will attempt to modify their
tools to evade detection and regain stealth, they will not cease operations to do so, but will instead
incrementally modify their tools while continuing apparently as previously planned.
In some of the most extreme cases, the Dukes have been known to engage in campaigns with
unaltered versions of tools that only days earlier have been brought to the public’s attention by
security companies and actively mentioned in the media. In doing so, the Dukes show unusual
confidence in their ability to continue successfully compromising their targets even when their
tools have been publicly exposed, as well as in their ability to operate with impunity.
the Dukes show unusual confidence in their ability to continue successfully compromising their targets [...], as well as in their ability to operate with impunity.
![Page 4: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/4.jpg)
F-Secure Whitepaper, September 2015
4
THE STORY OF THE DUKES
The story of the Dukes, as it is currently known, begins with a malware toolset that we call
PinchDuke. This toolset consists of multiple loaders and an information-stealer trojan.
Importantly, PinchDuke trojan samples always contain a notable text string, which we
believe is used as a campaign identifier by the Dukes group to distinguish between multiple
attack campaigns that are run in parallel. These campaign identifiers, which frequently
specify both the date and target of the campaign, provide us with a tantalizing view into the
early days of the Dukes.
2008: Chechnya
The earliest activity we have been able to definitively attribute to the Dukes are two PinchDuke
campaigns from November 2008. These campaigns use PinchDuke samples that were, according
to their compilation timestamps, created on the 5th and 12th of November 2008. The campaign
identifiers found in these two samples are respectively, “alkavkaz.com20081105” and “cihaderi.
net20081112”.
The first campaign identifier, found in the sample compiled on the 5th, references alkavkaz.com,
a domain associated with a Turkish website proclaiming to be the “Chechan [sic] Informational
Center” (image 1, page 5). The second campaign identifier, from the sample compiled on the
12th, references cihaderi.net, another Turkish website that claims to provide “news from the jihad
world” and which dedicates a section of its site to Chechnya.
Due to a lack of other PinchDuke samples from 2008 or earlier, we are unable to estimate when
the Duke operation originally began. Based on our technical analysis of the known PinchDuke
samples from 2008 however, we believe PinchDuke to have been under development by the
summer of 2008.
In fact, we believe that by the autumn of 2008, the Dukes were already developing not one but at
least two distinct malware toolsets. This assertion is based on the oldest currently known sample
of another Duke-related toolset, GeminiDuke, which was compiled on the 26th of January 2009.
This sample, like the early PinchDuke samples, appears to already be a “fully-grown” sample,
which is why we believe GeminiDuke was under development by the autumn of 2008.
That the Dukes were already developing and operating at least two distinct malware toolsets by
the second half of 2008 suggests to us that either the size of their cyberespionage operation was
already large enough to warrant such an arsenal of tools, or that they expected their operation
to grow significantly enough in the foreseeable future to warrant the development of such an
arsenal. We examine each of the Duke toolsets in greater detail later in the Tools and Techniques
section (page 22).
![Page 5: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/5.jpg)
F-Secure Whitepaper, September 2015
5
Etymology: a note on names
The origins of the Duke toolset names can be traced back to when researchers at Kaspersky Labs
coined the term “MiniDuke” to identify the first Duke-related malware they found. As explained
in their whitepaper[7], the researchers observed the surprisingly small MiniDuke backdoor being
spread via the same exploit that was being used by a malware that they had already named
ItaDuke; the “Duke” part of this malware’s name had in turn come about because it reminded the
researchers of the notable Duqu threat. Despite the shared history of the name itself however, it is
important to note that there is no reason to believe that the Duke toolsets themselves are in any
way related to the ItaDuke malware, or to Duqu for that matter.
As researchers continued discovering new toolsets that were created and used by the same
group that had been operating MiniDuke, the new toolsets were also given “Duke”-derived
names, and thus the threat actor operating the toolsets started to be commonly referred to
as “the Dukes”. The only other publicly used name for the threat actor that we are aware of is
“APT29”[22].
Some exceptions to this naming convention do exist, and in the case of specific Duke toolsets,
other commonly used names are listed in the Tools and Techniques section (page 22).
CloudDukeHammerDuke
SeaDuke
OnionDukeCozyDuke
CosmicDuke
GeminiDukePinchDuke
MiniDuke
ItaDuke
Duqu
“duke”
“duke”
The Dukes
![Page 6: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/6.jpg)
F-Secure Whitepaper, September 2015
6
2009: First known campaigns against the West
Based on the campaign identifiers found in PinchDuke samples discovered from 2009, the targets
of the Dukes group during that year included organizations such as the Ministry of Defense of
Georgia and the ministries of foreign affairs of Turkey and Uganda. Campaign identifiers from
2009 also reveal that by that time, the Dukes were already actively interested in political matters
related to the United States (US) and the North Atlantic Treaty Organization (NATO), as they ran
campaigns targeting (among other organizations) a US-based foreign policy think tank, another
set of campaigns related to a NATO exercise held in Europe, and a third set apparently targeting
what was then known as the Georgian “Information Centre on NATO”.
Of these campaigns, two clusters in particular stand out. The first is a set of campaigns from
the 16th and 17th of April, 2009, that targeted a US-based foreign policy think tank, as well as
government institutions in Poland and the Czech Republic (image 1, below). These campaigns
utilized specially-crafted malicious Microsoft Word documents and PDF files, which were sent as
e-mail attachments to various personnel in an attempt to infiltrate the targeted organizations.
We believe this cluster of campaigns had a joint goal of gathering intelligence on the sentiments
of the targeted 5 countries with respect to the plans being discussed at the time for the US to
locate their “European Interceptor Site” missile defense base in Poland, with a related radar station
that was intended to be located in the Czech Republic. Regarding the timing of these campaigns,
it is curious to note that they began only 11 days after President Barack Obama gave a speech on
the 5th of April declaring his intention to proceed with the deployment of these missile defenses [1].
The second notable cluster comprises of two campaigns that were possibly aimed at gathering
information on Georgia-NATO relations. The first of these runs used the campaign identifier
“natoinfo_ge”, an apparent reference to the www.natoinfo.ge website belonging to a Georgian
political body that has since been renamed “Information Centre on NATO and EU”. Although
the campaign identifier itself doesn’t contain a date, we believe the campaign to have originated
around the 7th of June 2009, which was when the PinchDuke sample in question was compiled.
This belief is based on the observation that in all of the other PinchDuke samples we have
analyzed, the date of the campaign identifier has been within a day of the compilation date. The
second campaign identifier, which we suspect may be related, is “mod_ge_2009_07_03” from
a month later and apparently targeting the Ministry of Defense of Georgia.
IMAGE 1: EARLY ACTIVITY FROM 2008 & 2009. Left - Screenshot of alkavkaz.com [2] (circa 2008, preserved by the Internet Archive Wayback Machine), which was referenced in 2008 PinchDuke sample. Right - Decoy document from a 2009 PinchDuke campaign targeting Poland, the Czech Republic and a US think tank. The contents appear to have been copied from a BBC news article [3].
![Page 7: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/7.jpg)
F-Secure Whitepaper, September 2015
7
2010: The emergence of CosmicDuke in the Caucasus
The spring of 2010 saw continued PinchDuke campaigns against Turkey and Georgia, but also
numerous campaigns against other members of the Commonwealth of Independent States
such as Kazakhstan, Kyrgyzstan, Azerbaijan and Uzbekistan. Of these, the campaign with the
identifier “kaz_2010_07_30”, which possibly targeted Kazakhstan, is of note because it is the last
PinchDuke campaign we have observed. We believe that during the first half of 2010, the Dukes
slowly migrated from PinchDuke and started using a new infostealer malware toolset that we call
CosmicDuke.
The first known sample of the CosmicDuke toolset was compiled on the 16th of January 2010. Back
then, CosmicDuke still lacked most of the credential-stealing functionality found in later samples.
We believe that during the spring of 2010, the credential and file stealing capabilities of PinchDuke
were slowly ported to CosmicDuke, effectively making PinchDuke obsolete.
During this period of transition, CosmicDuke would often embed PinchDuke so that, upon
execution, CosmicDuke would write to disk and execute PinchDuke. Both PinchDuke and
CosmicDuke would then operate independently on the same compromised host, including
performing separate information gathering, data exfiltration and communication with a
command and control (C&C) server - although both malware would often use the same C&C
server. We believe the purpose of this parallel use was to ‘fieldtest’ the new CosmicDuke tool,
while at the same time ensuring operational success with the tried-and-tested PinchDuke.
During this period of CosmicDuke testing and development, the Duke authors also started
experimenting with the use of privilege escalation vulnerabilities. Specifically, on the 19th of
January 2010 security researcher Tavis Ormandy disclosed a local privilege escalation vulnerability
(CVE-2010-0232) affecting Microsoft Windows. As part of the disclosure, Ormandy also included
the source code for a proof-of- concept exploit for the vulnerability [4]. Just 7 days later, on the
26th of January, a component for CosmicDuke was compiled that exploited the vulnerability and
allowed the tool to operate with higher privileges.
ONE LOADER TO LOAD THEM ALL (ALMOST)
In addition to all the other components being produced by the Dukes group, in 2010 they were also actively developing and testing a new loader - a component that wraps the core malware code and provides an additional layer of obfuscation.
The first sample of this loader was compiled on the 26th of July 2010, making it a direct predecessor of what has since become known as the “MiniDuke loader”, as later versions were extensively used by both MiniDuke and CosmicDuke.
Some hints about the history of the “MiniDuke loader” were noted in the CosmicDuke whitepaper
we published [5] in 2014, where we observed that the loader appeared to have been in use with CosmicDuke before it was used with MiniDuke. In fact, we now know that before being used with either, the “MiniDuke loader” was used to load PinchDuke. The first known sample of the loader was used during the summer of 2010, while the most recent samples were seen during the spring of 2015.
This neatly ties together many of the tools used by the Dukes group, as versions of this one loader have been used to load malware from three different Dukes-related toolsets – CosmicDuke, PinchDuke, and MiniDuke – over the course of five years.
![Page 8: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/8.jpg)
F-Secure Whitepaper, September 2015
8
2011: John Kasai of Klagenfurt, Austria
During 2011, the Dukes appear to have significantly expanded both their arsenal of malware
toolsets and their C&C infrastructure. While the Dukes employed both hacked websites and
purposely rented servers for their C&C infrastructure, the group rarely registered their own
domain names, preferring instead to connect to their self- operated servers via IP addresses.
The beginning of 2011 however saw a significant break from that routine, when a large grouping
of domain names was registered by the Dukes in two batches; the first batch was registered on
the 29th of January and the second on the 13th of February. All the domains in both batches were
initially registered with the same alias: “John Kasai of Klagenfurt, Austria” (image 2, above). These
domains were used by the Dukes in campaigns involving many of their different malware toolsets
all the way until 2014. Like the “MiniDuke loader”, these “John Kasai” domains also provide a
common thread tying together much of the tools and infrastructure of the Dukes.
IMAGE 2: COMPARING WHOIS REGISTRATION DETAILS. Left - Original whois registration details for natureinhome.com, one of the Duke C&C server domains registered on the 29th of January, 2011 to “John Kasai”. Right - Details for the domain were later changed, providing a small glimpse of the Dukes’ sense of humor.
2011: Continuing expansion of the Dukes arsenal
By 2011, the Dukes had already developed at least 3 distinct malware toolsets, including a plethora
of supporting components such as loaders and persistence modules. In fact, as a sign of their
arsenal’s breadth, they had already decided to retire one of these malware toolsets as obsolete
after developing a replacement for it, seemingly from scratch.
The Dukes continued the expansion of their arsenal in 2011 with the addition of two more
toolsets: MiniDuke and CozyDuke. While all of the earlier toolsets – GeminiDuke, PinchDuke, and
CosmicDuke – were designed around a core infostealer component, MiniDuke is centered on a
simplistic backdoor component whose purpose is to enable the remote execution of commands
on the compromised system. The first observed samples of the MiniDuke backdoor component
are from May 2011. This backdoor component however is technically very closely related to
GeminiDuke, to the extent that we believe them to share parts of their source code. The origins
of MiniDuke can thus be traced back to the origins of GeminiDuke, of which the earliest observed
sample was compiled in January of 2009.
![Page 9: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/9.jpg)
F-Secure Whitepaper, September 2015
9
Unlike the simplistic MiniDuke toolset, CozyDuke is a highly versatile, modular, malware
“platform” whose functionality lies not in a single core component but in an array of modules
that it may be instructed to download from its C&C server. These modules are used to selectively
provide CozyDuke with just the functionality deemed necessary for the mission at hand.
CozyDuke’s modular platform approach is a clear break from the designs of the previous Duke
toolsets.
The stylistic differences between CozyDuke and its older siblings are further exemplified by the
way it was coded. All of the 4 previously mentioned toolsets were written in a minimalistic style
commonly seen with malware; MiniDuke even goes as far as having many components written
in Assembly language. CozyDuke however represents the complete opposite. Instead of being
written in Assembly or C, it was written in C++ , which provides added layers of abstraction for the
developer’s perusal, at the cost of added complexity.
Contrary to what might be expected from malware, early CozyDuke versions also lacked any
attempt at obfuscating or hiding their true nature. In fact, they were extremely open and verbose
about their functionality - for example, early samples contained a plethora of logging messages in
unencrypted form. In comparison, even the earliest known GeminiDuke samples encrypted any
strings that might have given away the malware’s true nature.
Finally, early CozyDuke versions also featured other elements that one would associate more with
a traditional software development project than with malware. For instance, the earliest known
CozyDuke version utilized a feature of the Microsoft Visual C++ compiler known as run-time
error checking. This feature added automatic error checking to critical parts of the program’s
execution at the cost, from a malware perspective, of providing additional hints that make the
malware’s functionality easier for reverse engineers to understand.
Based on these and other similar stylistic differences observed between CozyDuke and its older
siblings, we speculate that while the older Duke families appear to be the work of someone with
a background in malware writing (or at the least in hacking), CozyDuke’s author or authors more
likely came from a software development background.
![Page 10: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/10.jpg)
F-Secure Whitepaper, September 2015
10
2012: Hiding in the shadows
We still know surprisingly few specifics about the Dukes group’s activities during 2012. Based
on samples of Duke malware from 2012, the Dukes do appear to have continued actively using
and developing all of their tools. Of these, CosmicDuke and MiniDuke appear to have been in
more active use, while receiving only minor updates. GeminiDuke and CozyDuke on the other
hand appear to have been less used in actual operations, but did undergo much more significant
development.
IMAGE 3: MINIDUKE DECOY. One of the Ukraine-themed decoy documents used during a MiniDuke campaign in February 2013.
2013: MiniDuke flies too close to the sun
On the 12th of February 2013, FireEye published a blogpost[6] alerting readers to a combination
of new Adobe Reader 0-day vulnerabilities, CVE-2013-0640 and CVE-2013-0641, that were being
actively exploited in the wild. 8 days after FireEye’s initial alert, Kaspersky spotted the same exploit
being used to spread an entirely different malware family from the one mentioned in the original
report. On 27th February, Kaspersky [7] and CrySyS[8] Lab published research on this previously
unidentified malware family, dubbing it MiniDuke.
As we now know, by February 2013 the Dukes group had been operating MiniDuke and other
toolsets for at least 4 and a half years. Their malware had not stayed undetected for those 4 and a
half years. In fact, in 2009 a PinchDuke sample had been included in the malware set used by the
AV-Test security product testing organization to perform anti-virus product comparison reviews.
Until 2013 however, earlier Duke toolsets had not been put in a proper context. That finally started
to change in 2013.
![Page 11: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/11.jpg)
F-Secure Whitepaper, September 2015
11
The MiniDuke samples that were spread using these exploits were compiled on the 20th of
February, after the exploit was already publicly known. One might argue that since this took
place after the exploits were publicly mentioned, the Dukes simply copied them. We however do
not believe so. As mentioned by Kaspersky, even though the exploits used for these MiniDuke
campaigns were near-identical to those described by FireEye, there were nevertheless small
differences. Of these, the crucial one is the presence of PDB strings in the MiniDuke exploits.
These strings, which are generated by the compiler when using specific compilation settings,
means that the components of the exploits used with MiniDuke had to have been compiled
independently from those described by FireEye.
We do not know whether the Dukes compiled the components themselves or whether someone
else compiled the components before handing them to the group. This does however still rule
out the possibility that the Dukes simply obtained copies of the exploit binaries described by
FireEye and repurposed them.
In our opinion, this insistence on using exploits that are already under heightened scrutiny
suggests the existence of at least one of three circumstances. Firstly, the Dukes may have been
confident enough in their own abilities (and in the slowness of their opponents to react to new
threats) that they did not care if their targets may already be on the lookout for anyone exploiting
these vulnerabilities. Secondly, the value the Dukes intended to gain from these MiniDuke
campaigns may have been so great that they deemed it worth the risk of getting noticed. Or
thirdly, the Dukes may have invested so much into these campaigns that by the time FireEye
published their alert, the Dukes felt they could not afford to halt the campaigns.
We believe all three circumstances to have coexisted at least to some extent. As will become
evident in this report, this was not a one-off case but a recurring theme with the Dukes, in that
they would rather continue with their operations as planned than retreat from operating under
the spotlight.
As originally detailed in Kaspersky’s whitepaper, the MiniDuke campaigns from February 2013
employed spear-phishing emails with malicious PDF file attachments. These PDFs would attempt
to silently infect the recipient with MiniDuke, while distracting them by displaying a decoy
document. The headings of these documents included “Ukraine’s NATO Membership Action Plan
(MAP) Debates”, “The Informal Asia-Europe Meeting (ASEM) Seminar on Human Rights”, and
“Ukraine’s Search for a Regional Foreign Policy” (image 3, page 8). The targets of these campaigns,
according to Kaspersky, were located variously in Belgium, Hungary, Luxembourg and Spain [7].
Kaspersky goes on to state that by obtaining log files from the MiniDuke command and control
servers, they were able to identify high-profile victims from Ukraine, Belgium, Portugal, Romania,
the Czech Republic, Ireland, the United States and Hungary [7].
![Page 12: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/12.jpg)
F-Secure Whitepaper, September 2015
12
IMAGE 4: ONIONDUKE-TROJANIZED TORRENT FILE. Example of a torrent file containing an executable trojanized with the OnionDuke toolset.
2013: The curious case of OnionDuke
After the February campaigns, MiniDuke activity appeared to quiet down, although it did not
fully stop, for the rest of 2013. The Dukes group as a whole however showed no sign of slowing
down. In fact, we saw yet another Duke malware toolset, OnionDuke, appear first in 2013. Like
CozyDuke, OnionDuke appears to have been designed with versatility in mind, and takes a
similarly modular platform approach. The OnionDuke toolset includes various modules for
purposes such as password stealing, information gathering, denial of service (DoS) attacks, and
even posting spam to the Russian social media network, VKontakte. The OnionDuke toolset
also includes a dropper, an information stealer variant and multiple distinct versions of the core
component that is responsible for interacting with the various modules.
What makes OnionDuke especially curious is an infection vector it began using during the
summer of 2013. To spread the toolset, the Dukes used a wrapper to combine OnionDuke with
legitimate applications, created torrent files containing these trojanized applications, then
uploaded them to websites hosting torrent files (image 4, above). Victims who used the torrent
files to download the applications would end up getting infected with OnionDuke.
For most of the OnionDuke components we observed, the first versions that we are aware of were
compiled during the summer of 2013, suggesting that this was a period of active development
around this toolset. Critically however, the first sample of the OnionDuke dropper, which we have
observed being used only with components of this toolset, was compiled on the 17th of February
2013. This is significant because it suggests that OnionDuke was under development before any
part of the Duke operation became public. OnionDuke’s development therefore could not have
been simply a response to the outing of one of the other Duke malware, but was instead intended
for use alongside the other toolsets. This indication that the Dukes planned to use an arsenal of 5
malware toolsets in parallel suggests that they were operating with both significant resources and
capacity.
![Page 13: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/13.jpg)
F-Secure Whitepaper, September 2015
13
2013: The Dukes and Ukraine
In 2013, many of the decoy documents employed by the Dukes in their campaigns were related
to Ukraine; examples include a letter undersigned by the First Deputy Minister for Foreign Affairs
of Ukraine, a letter from the embassy of the Netherlands in Ukraine to the Ukrainian Ministry of
Foreign affairs and a document titled “Ukraine’s Search for a Regional Foreign Policy”. [9]
These decoy documents however were written before the start of the November 2013
Euromaidan protests in Ukraine and the subsequent upheaval. It is therefore important to note
that, contrary to what might be assumed, we have actually observed a drop instead of an increase
in Ukraine-related campaigns from the Dukes following the country’s political crisis.
This is in stark contrast to some other suspected Russian threat actors (such as Operation Pawn
Storm [10]) who appear to have increased their targeting of Ukraine following the crisis. This
supports our analysis that the overarching theme in the Dukes’ targeting is the collection of
intelligence to support diplomatic efforts. The Dukes actively targeted Ukraine before the crisis,
at a time when Russia was still weighing her options, but once Russia moved from diplomacy to
direct action, Ukraine was no longer relevant to the Dukes in the same way.
IMAGE 5: COSMICDUKE DECOY. Screenshot of a decoy document appearing to be an order for growth hormones, which was used in a CosmicDuke campaign in September 2013.
2013: CosmicDuke’s war on drugs
In a surprising turn of events, in September 2013 a CosmicDuke campaign was observed targeting
Russian speakers involved in the trade of illegal and controlled substances (image 5, above).
Kaspersky Labs, who sometimes refer to CosmicDuke as ‘Bot Gen Studio’, speculated that
“one possibility is that ‘Bot Gen Studio’ is a malware platform also available as a so-called ‘legal
spyware’ tool”; therefore, those using CosmicDuke to target drug dealers and those targeting
governments are two separate entities [11]. We however feel it is unlikely that the CosmicDuke
operators targeting drug dealers and those targeting governments could be two entirely
independent entities. A shared supplier of malware would explain the overlap in tools, but it
would not explain the significant overlap we have also observed in operational techniques related
to command and control infrastructure. Instead, we feel the targeting of drug dealers was a new
task for a subset of the Dukes group, possibly due to the drug trade’s relevance to security policy
issues. We also believe the tasking to have been temporary, because we have not observed any
further similar targeting from the Dukes after the spring of 2014.
![Page 14: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/14.jpg)
F-Secure Whitepaper, September 2015
14
2014: MiniDuke’s rise from the ashes
While MiniDuke activity decreased significantly during the rest of 2013 following the attention it
garnered from researchers, the beginning of 2014 saw the toolset back in full force. All MiniDuke
components, from the loader and downloader to the backdoor, had been slightly updated and
modified during the downtime. Interestingly, the nature of these modifications suggests that
their primary purpose was to regain the element of stealth and undetectability that had been lost
almost a year earlier.
Of these modifications, arguably the most important were the ones done to the loader. These
resulted in a loader version that would later become known as the “Nemesis Gemina loader” due
to PDB strings found in many of the samples. It is however still only an iteration on earlier versions
of the MiniDuke loader.
The first observed samples of the Nemesis Gemina loader (compiled on 14th December 2013) were
used to load the updated MiniDuke backdoor, but by the spring of 2014 the Nemesis Gemina
loader was also observed in use with CosmicDuke.
2014: CosmicDuke’s moment of fame and the scramble that ensued
Following the MiniDuke expose, CosmicDuke in turn got its moment of fame when F-Secure
published a whitepaper about it on 2nd July 2014 [5]. The next day, Kaspersky also published
their own research on the malware [11]. It should be noted that until this point, even though
CosmicDuke had been in active use for over 4 years, and had undergone minor modifications
and updates during that time, even the most recent CosmicDuke samples would often embed
persistence components that date back to 2012. These samples would also contain artefacts of
functionality from the earliest CosmicDuke samples from 2010.
It is therefore valuable to observe how the Dukes reacted to CosmicDuke’s outing at the
beginning of July. By the end of that month, CosmicDuke samples we found that had been
compiled on the 30th of July had shed unused parts of their code that had essentially just
been relics of the past. Similarly, some of the hardcoded values that had remained unaltered in
CosmicDuke samples for many years had been changed. We believe these edits were an attempt
at evading detection by modifying or removing parts of the toolset that the authors believed
might be helpful in identifying and detecting it.
Concurrently with the alterations to CosmicDuke, the Dukes were also hard at work modifying
their trusted loader. Much like the CosmicDuke toolset, the loader used by both MiniDuke and
CosmicDuke had previously only undergone one major update (the Nemesis Gemina upgrade)
since the first known samples from 2010. Again, much of the modification work focused on
removing redundant code in an attempt to appear different from earlier versions of the loader.
Interestingly however, another apparent evasion trick was also attempted - forging of the loaders’
compilation timestamps.
![Page 15: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/15.jpg)
F-Secure Whitepaper, September 2015
15
The first CosmicDuke sample we observed after the initial research on CosmicDuke was a
sample compiled on the 30th of July 2014. The loader used by the sample purported to have
been compiled on the 25th of March 2010. Due to artefacts left in the loader during compilation
time however, we know that it used a specific version of the Boost library, 1.54.0, that was only
published on the 1st of July 2013 [12]. The compilation timestamp therefore had to have been
faked. F-Secure’s whitepaper[5] on CosmicDuke includes a timeline of the loader’s usage, based
on compilation timestamps. Perhaps the Dukes group thought that by faking a timestamp from
before the earliest one cited in the whitepaper, they might be able to confuse researchers.
During the rest of 2014 and the spring of 2015, the Dukes continued making similar evasion-
focused modifications to CosmicDuke, as well as experimenting with ways to obfuscate the
loader. In the latter case however, the group appear to have also simultaneously developed an
entirely new loader, which we first observed being used in conjunction with CosmicDuke during
the spring of 2015.
While it is not surprising that the Dukes reacted to multiple companies publishing extensive
reports on one of their key toolsets, it is valuable to note the manner in which they responded.
Much like the MiniDuke expose in February 2013, the Dukes again appeared to prioritize
continuing operations over staying hidden. They could have ceased all use of CosmicDuke
(at least until they had developed a new loader) or retired it entirely, since they still had other
toolsets available. Instead, they opted for minimal downtime and attempted to continue
operations, with only minor modifications to the toolset.
2014: CozyDuke and monkey videos
While we now know that CozyDuke had been under development since at least the end of 2011, it
was not until the early days of July 2014 that the first large-scale CozyDuke campaign that we are
aware of took place. This campaign, like later CozyDuke campaigns, began with spear-phishing
emails that tried to impersonate commonly seen spam emails. These spear-phishing emails would
contain links that eventually lead the victim to becoming infected with CozyDuke.
Some of the CozyDuke spear-phishing emails from early July posed as e-fax arrival notifications,
a popular theme for spam emails, and used the same “US letter fax test page” decoy document
that was used a year later by CloudDuke. In at least one case however, the email instead contained
a link to a zip-archive file named “Office Monkeys LOL Video.zip”, which was hosted on the
DropBox cloud storage service. What made this particular case interesting was that instead of the
usual dull PDF file, the decoy was a Flash video file, more specifically a Super Bowl advertisement
from 2007 purporting to show monkeys at an office (image 6, page 16).
![Page 16: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/16.jpg)
F-Secure Whitepaper, September 2015
16
IMAGE 6: COZYDUKE DECOYS. Left - US letter fax test decoy used in CozyDuke campaigns Right - Screenshot of the monkey video decoy also used by CozyDuke
2014: OnionDuke gets caught using a malicious Tor node
On the 23rd of October 2014, Leviathan Security Group published a blog post describing a
malicious Tor exit node they had found. They noted that this node appeared to be maliciously
modifying any executables that were downloaded through it over a HTTP connection. Executing
the modified applications obtained this way would result in the victim being infected with
unidentified malware. On the 14th of November, F-Secure published a blog post naming the
malware OnionDuke and associating it with MiniDuke and CosmicDuke, the other Duke toolsets
known at the time [13].
Based on our investigations into OnionDuke, we believe that for about 7 months, from April 2014
to when Leviathan published their blog post in October 2014, the Tor exit node identified by
the researchers was being used to wrap executables on-the-fly with OnionDuke (image 7, page
13). This is similar to the way in which the toolset was being spread via trojanized applications in
torrent files during the summer of 2013.
While investigating the OnionDuke variant being spread by the malicious Tor node, we also
identified another OnionDuke variant that appeared to have successfully compromised multiple
victims in the ministry of foreign affairs of an Eastern European country during the spring of 2014.
This variant differed significantly in functionality from the one being spread via the Tor node,
further suggesting that different OnionDuke variants are intended for different kinds of victims.
We believe that, unusually, the purpose of the OnionDuke variant spread via the Tor node was
not to pursue targeted attacks but instead to form a small botnet for later use. This OnionDuke
variant is related to the one seen during the summer of 2013 being spread via torrent files. Both
of these infection vectors are highly indiscriminate and untargeted when compared to spear-
phishing, the usual infection vector of choice for the Dukes.
![Page 17: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/17.jpg)
F-Secure Whitepaper, September 2015
17
ONIONDUKE DROPPER
ONIONDUKE CORE COMPONENT
ONIONDUKE DROPPER
ONIONDUKE CORE COMPONENT
ONIONDUKE CORE COMPONENT
Drops
Drops Drops
Original binary
Original binary
Original binary
Executes
MALICIOUS TOR EXIT
NODE
VICTIMRequest
ResponseWrapped binary
MONGOLIA326
23%INDIA
26019%
OTHER235
17%
UNKNOWN1007% PAKISTAN
645%
MOROCCO62
4%
ALGERIA58
4%
28421%
3% EACH
2% EACH
1% EACH
EGYPT, 43
USA, 39
TURKEY, 38
INDONESIA, 34
SAUDI ARABIA, 25
BRAZIL, 22
PHILIPPINESS, 16
SRI LANKA, 15
BANGLADESH, 14
NEPAL, 13
CAMBODIA, 13
CHINA, 12
IMAGE 7: FLOWCHART OF HOW ONIONDUKE USES MALICIOUS TOR NODE TO INFECT VICTIMS.
IMAGE 8: GEOGRAPHICAL DISTRIBUTION OF ONIONDUKE BOTNET.
TOTAL: 1389
![Page 18: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/18.jpg)
F-Secure Whitepaper, September 2015
18
Further, the functionality of the OnionDuke variant is derived from a number of modules. While
one of these modules gathers system information and another attempts to steal the victim’s
usernames and passwords, as one would expect from a malware used for a targeted attack, the
other two known OnionDuke modules are quite the opposite; one is designed for use in DoS
attacks and the other for posting predetermined messages to the Russian VKontakte social
media site. This sort of functionality is more common in criminality-oriented botnets, not state-
sponsored targeted attacks.
We have since been able to identify at least two separate OnionDuke botnets. We believe the
formation of the first of these botnets began in January 2014, using both unidentified infection
vectors and the known malicious Tor node, and continued until our blogpost was published in
November. We believe the formation of the second botnet began in August 2014 and continued
until January 2015. We have been unable to identify the infection vectors used for this second
botnet, but the C&C servers it used had open directory listings, allowing us to retrieve files
containing listings of victim IP addresses. The geographic distribution of these IP addresses
(image 8, page 13) further supports our theory that the purpose of this OnionDuke variant was not
targeted attacks against high-profile targets.
One theory is that the botnets were a criminal side business for the Dukes group. The size of the
botnet however (about 1400 bots) is very small if its intended use is for commercial DoS attacks
or spam-sending. Alternatively, OnionDuke also steals user credentials from its victims, providing
another potential revenue source. The counter to that argument however is that the value of
stolen credentials from users in the countries with the highest percentage of OnionDuke bots
(Mongolia and India) are among the lowest on underground markets.
IMAGE 9: ONIONDUKE C&C TWEET. Screenshot of a tweet intended for OnionDuke, with a link pointing to an image file that embeds an updated version of OnionDuke.
2015: The Dukes up the ante
The end of January 2015 saw the start of the most high- volume Duke campaign seen thus far, with
thousands of recipients being sent spear-phishing emails that contained links to compromised
websites hosting CozyDuke. Curiously, the spear-phishing emails were strikingly similar to the
e-fax themed spam usually seen spreading ransomware and other common crimeware. Due to
the sheer number of recipients, it may not have been possible to customize the emails in the
same way as was possible with lower-volume campaigns.
![Page 19: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/19.jpg)
F-Secure Whitepaper, September 2015
19
The similarity to common spam may however also serve a more devious purpose. It is easy to
imagine a security analyst, burdened by the amount of attacks against their network, dismissing
such common-looking spam as “just another crimeware spam run”, allowing the campaign to, in
essence, hide in the masses [14].
The CozyDuke activity continues one of the long-running trends of the Dukes operations, the
use of multiple malware toolsets against a single target. In this case, the Dukes first attempted
to infect large numbers of potential targets with CozyDuke (and in a more obvious manner than
previously seen). They would then use the toolset to gather initial information on the victims,
before deciding which ones to pursue further. For the victims deemed interesting enough, the
Dukes would then deploy a different toolset.
We believe the primary purpose of this tactic is an attempt at evading detection in the targeted
network. Even if the noisy initial CozyDuke campaign is noticed by the victim organization, or
by someone else who then makes it publicly known, defenders will begin by first looking for
indicators of compromise (IOCs) related to the CozyDuke toolset. If however by that time the
Dukes are already operating within the victim’s network, using an another toolset with different
IOCs, then it is reasonable to assume that it will take much longer for the victim organization to
notice the infiltration.
In previous cases, the group used their malware toolsets interchangeably, as either the initial or
a later-stage toolset in a campaign. For these CozyDuke campaigns however, the Dukes appear
to have employed two particular later-stage toolsets, SeaDuke and HammerDuke, that were
purposely designed to leave a persistent backdoor on the compromised network. HammerDuke
is a set of backdoors that was first seen in the wild in February 2015, while SeaDuke is a cross-
platform backdoor that was, according to Symantec, first spotted in the wild in October 2014 [15].
Both toolsets were originally spotted being deployed by CozyDuke to its victims.
What makes SeaDuke special is that it was written in Python and designed to work on both
Windows and Linux systems; it is the first cross-platform tool we have seen from the Dukes. One
plausible reason for developing such a flexible malware might be that the group were increasingly
encountering victim environments where users were using Linux as their desktop operating
system.
Meanwhile, HammerDuke is a Windows-only malware (written in .NET) and comes in two variants.
The simpler one will connect to a hardcoded C&C server over HTTP or HTTPS to download
commands to execute. The more advanced variant, on the other hand, will use an algorithm to
generate a periodically-changing Twitter account name and will then attempt to find tweets
from that account containing links to the actual download location of the commands to execute.
In this way, the advanced HammerDuke variant attempts to hide its network traffic in more
legitimate use of Twitter. This method is not unique to HammerDuke, as MiniDuke, OnionDuke,
and CozyDuke all support similar use of Twitter (image 9, page 18) to retrieve links to additional
payloads or commands.
![Page 20: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/20.jpg)
F-Secure Whitepaper, September 2015
20
2015: CloudDuke
In the beginning of July 2015, the Dukes embarked on yet another large-scale phishing campaign.
The malware toolset used for this campaign was the previously unseen CloudDuke and we believe
that the July campaign marks the first time that this toolset was deployed by the Dukes, other
than possible small-scale testing.
The CloudDuke toolset consists of at least a loader, a downloader, and two backdoor
variants. Both backdoors (internally referred to by their authors as “BastionSolution” and
“OneDriveSolution”) essentially allow the operator to remotely execute commands on the
compromised machine. The way in which each backdoor does so however is significantly
different. While the BastionSolution variant simply retrieves commands from a hard-coded
C&C server controlled by the Dukes, the OneDriveSolution utilizes Microsoft’s OneDrive cloud
storage service for communicating with its masters, making it significantly harder for defenders
to notice the traffic and block the communication channel. What is most significant about the
July 2015 CloudDuke campaign is the timeline. The campaign appeared to consist of two distinct
waves of spear-phishing, one during the first days of July and the other starting from the 20th
of the month. Details of the first wave, including a thorough technical analysis of CloudDuke,
was published by Palo Alto Networks on 14th July [16]. This was followed by additional details from
Kaspersky in a blog post published on 16th July [17].
Both publications happened before the second wave took place and received notable publicity.
Despite the attention and public exposure of the toolset’s technical details (including IOCs) to
defenders, the Dukes still continued with their second wave of spear-phishing, including the
continued use of CloudDuke. The group did change the contents of the spear-phishing emails
they sent, but they didn’t switch to a new email format; instead, they reverted to the same efax-
themed format that they had previously employed, even to the point of reusing the exact same
decoy document that they had used in the CozyDuke campaign a year earlier (July 2014).
This once more highlights two crucial behavioral elements of the Dukes group. Firstly, as with
the MiniDuke campaigns of February 2013 and CosmicDuke campaigns in the summer of 2014,
again the group clearly prioritized the continuation of their operations over maintaining stealth.
Secondly, it underlines their boldness, arrogance and self-confidence; they are clearly confident
in both their ability to compromise their targets even when their tools and techniques are already
publicly known, and critically, they appear to be extremely confident in their ability to act with
impunity.
![Page 21: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/21.jpg)
F-Secure Whitepaper, September 2015
21
2015: Continuing surgical strikes with CosmicDuke
In addition to the notably overt and large-scale campaigns with CozyDuke and CloudDuke, the
Dukes also continued to engage in more covert, surgical campaigns using CosmicDuke. The latest
of these campaigns that we are aware of occurred during the spring and early summer of 2015.
As their infection vectors, these campaigns used malicious documents exploiting recently fixed
vulnerabilities.
Two of these campaigns were detailed in separate blog posts by the Polish security company
Prevenity, who said that both campaigns targeted Polish entities with spear- phishing emails
containing malicious attachments with relevant Polish language names [18] [19]. A third, similar,
CosmicDuke campaign was observed presumably targeting Georgian entities since it used an
attachment with a Georgian-language name that translates to “NATO consolidates control of the
Black Sea.docx”.
Based on this, we do not believe that the Dukes are replacing their covert and targeted campaigns
with the overt and opportunistic CozyDuke and CloudDuke style of campaigns. Instead, we believe
that they are simply expanding their activities by adding new tools and techniques.
IMAGE 10: TIMELINE OF KNOWN ACTIVITY FOR THE VARIOUS DUKE TOOLKITS.
2009
2010
2011
2012
2013
2014
2015
PinchDuke
GeminiDuke
CosmicDukeMiniDuke
Loader
Backdoor
CozyDuke
OnionDuke
SeaDuke
HammerDukeCloudDuke
TOOLKITS
YEAR
First known activity
Most recent known activity
LEGEND
2008
![Page 22: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/22.jpg)
F-Secure Whitepaper, September 2015
22
PINCHDUKE
First known activity November 2008
Most recent known activity Summer 2010
Other names N/A
C&C communication methods HTTP (S)
Known toolset components ◊ Multiple loaders
◊ Information stealer
TOOLS AND TECHNIQUES OF THE DUKES
The PinchDuke toolset consists of multiple loaders and a core information stealer trojan.
The loaders associated with the PinchDuke toolset have also been observed being used with
CosmicDuke.
The PinchDuke information stealer gathers system configuration information, steals user
credentials, and collects user files from the compromised host transferring these via HTTP(S) to a
C&C server. We believe PinchDuke’s credential stealing functionality is based on the source code
of the Pinch credential stealing malware (also known as LdPinch) that was developed in the early
2000s and has later been openly distributed on underground forums.
Credentials targeted by PinchDuke include ones associated with the following software or
services:
• The Bat!
• Yahoo!
• Mail.ru
• Passport.Net
• Google Talk
• Netscape Navigator
• Mozilla Firefox
• Mozilla Thunderbird
• Internet Explorer
• Microsoft Outlook
• WinInet Credential Cache
• Lightweight Directory Access Protocol (LDAP)
![Page 23: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/23.jpg)
F-Secure Whitepaper, September 2015
23
GEMINIDUKE
First known activity January 2009
Most recent known activity December 2012
Other names N/A
C&C communication methods HTTP (S)
Known toolset components ◊ Loader
◊ Information stealer
◊ Multiple persistence components
PinchDuke will also search for files that have been created within a predefined timeframe and
whose file extension is present in a predefined list.
As a curiosity, most PinchDuke samples contain a Russian language error message:“Ошибка названия модуля! Название секции данных должно быть 4 байта!”
Which roughly translates to: “There is an error in the module’s name! The length of the data
section name must be 4 bytes!”
The GeminiDuke toolset consists of a core information stealer, a loader and multiple persistence-
related components. Unlike CosmicDuke and PinchDuke, GeminiDuke primarily collects
information on the victim computer’s configuration. The collected details include:
• Local user accounts
• Network settings
• Internet proxy settings
• Installed drivers
• Running processes
• Programs previously executed by users
• Programs and services configured to automatically run at startup
• Values of environment variables
• Files and folders present in any users home folder
• Files and folders present in any users My Documents
• Programs installed to the Program Files folder
• Recently accessed files, folders and programs
![Page 24: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/24.jpg)
F-Secure Whitepaper, September 2015
24
As is common for malware, the GeminiDuke infostealer uses a mutex to ensure that only one
instance of itself is running at a time. What is less common is that the name used for the mutex
is often a timestamp. We believe these timestamps to be generated during the compilation of
GeminiDuke from the local time of the computer being used.
Comparing the GeminiDuke compilation timestamps, which always reference the time in the
UTC+0 timezone, with the local time timestamps used as mutex names, and adjusting for the
presumed timezone difference, we note that all of the mutex names reference a time and date
that is within seconds of the respective sample’s compilation timestamp. Additionally, the
apparent timezone of the timestamps in all of the GeminiDuke samples compiled during the
winter is UTC+3, while for samples compiled during the summer, it is UTC+4.
The observed timezones correspond to the pre-2011 definition of Moscow Standard Time (MSK) [20], which was UTC+3 during the winter and UTC+4 during the summer. In 2011 MSK stopped
following Daylight Saving Time (DST) and was set to UTC+4 year-round, then reset to UTC +3 year-
round in 2014. Some of the observed GeminiDuke samples that used timestamps as mutex names
were compiled while MSK still respected DST and for these samples, the timestamps perfectly
align with MSK as it was defined at the time.
Map of timezones in Russia; © Eric Muller [23] Pink: MSK (UTC +3) ; Orange: UTC +4
However, GeminiDuke samples compiled after MSK was altered still vary the timezone between
UTC+3 in the winter and UTC+4 during the summer. While computers using Microsoft Windows
automatically adjust for DST, changes in timezone definitions require that an update to Windows
be installed. We therefore believe that the Dukes group simply failed to update the computer
they were using to compile GeminiDuke samples, so that the timestamps seen in later samples
still appear to follow the old definition of Moscow Standard Time.
The GeminiDuke infostealer has occasionally been wrapped with a loader that appears to be
unique to GeminiDuke and has never been observed being used with any of the other Duke
toolsets. GeminiDuke also occasionally embeds additional executables that attempt to achieve
persistence on the victim computer. These persistence components appear to be uniquely
customized for use with GeminiDuke, but they use many of the same techniques as CosmicDuke
persistence components.
![Page 25: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/25.jpg)
F-Secure Whitepaper, September 2015
25
COSMICDUKE
First known activity January 2010
Most recent known activity Summer 2015
Other namesTinybaron, BotgenStudios,
NemesisGemina
C&C communication methods HTTP (S), FTP, WebDav
Known toolset components◊ Information stealer
◊ Multiple loaders
◊ Privilege escalation component
◊ Multiple persistence components
The CosmicDuke toolset is designed around a main information stealer component. This
information stealer is augmented by a variety of components that the toolset operators may
selectively include with the main component to provide additional functionalities, such as
multiple methods of establishing persistence, as well as modules that attempt to exploit privilege
escalation vulnerabilities in order to execute CosmicDuke with higher privileges. CosmicDuke’s
information stealing functionality includes:
• Keylogging
• Taking screenshots
• Stealing clipboard contents
• Stealing user files with file extensions that match a predefined list
• Exporting the users cryptographic certificates including private keys
• Collecting user credentials, including passwords, for a variety of popular chat and email
programs as well as from web browsers
CosmicDuke may use HTTP, HTTPS, FTP or WebDav to exfiltrate the collected data to a hardcoded
C&C server.
While we believe CosmicDuke to be an entirely custom- written toolset with no direct sharing
of code with other Duke toolsets, the high-level ways in which many of its features have been
implemented appear to be shared with other members of the Duke arsenal.
Specifically, the techniques CosmicDuke uses to extract user credentials from targeted software
and to detect the presence of analysis tools appear to be based on the techniques used by
PinchDuke. Likewise, many of CosmicDuke’s persistence components use techniques also used
by components associated with GeminiDuke and CozyDuke. In all of these cases, the techniques
are the same, but the code itself has been altered to work with the toolset in question, leading to
small differences in the final implementation.
![Page 26: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/26.jpg)
F-Secure Whitepaper, September 2015
26
A few of the CosmicDuke samples we discovered also included components that attempt to
exploit either of the publicly known CVE-2010-0232 or CVE-2010- 4398 privilege escalation
vulnerabilities. In the case of CVE-2010-0232, the exploit appears to be based directly on the
proof of concept code published by security researcher Tavis Ormandy when he disclosed the
vulnerability [4]. We believe that the exploit for CVE- 2010-4398 was also based on a publicly
available proof of concept [21].
In addition to often embedding persistence or privilege escalation components, CosmicDuke has
occasionally embedded PinchDuke, GeminiDuke, or MiniDuke components. It should be noted
that CosmicDuke does not interoperate with the second, embedded malware in any way other
than by writing the malware to disk and executing it. After that, CosmicDuke and the second
malware operate entirely independently of each other, including separately contacting their C&C
servers. Sometimes, both malware have used the same C&C server, but in other cases, even the
servers have been different.
Finally, it is worth noting that while most of the compilation timestamps for CosmicDuke samples
appear to be authentic, we are aware of a few cases of them being forged. One such case was
detailed on page 10 as an apparent evasion attempt. Another is a loader variant seen during the
spring of 2010 in conjunction with both CosmicDuke and PinchDuke. These loader samples all had
compilation timestamps purporting to be from the 24th or the 25th of September, 2001. However,
many of these loader samples embed CosmicDuke variants that exploit the CVE-2010- 0232
privilege escalation vulnerability thus making it impossible for the compilation timestamps to be
authentic.
Further reading
1. Timo Hirvonen; F-Secure Labs; CosmicDuke: Cosmu with a Twist of MiniDuke; published 2 July 2014; https://www.f-
secure.com/ documents/996508/1030745/cosmicduke_ whitepaper.pdf
2. GReAT; Securelist; Miniduke is back: Nemesis Gemina and the Botgen Studio; published 3 July 2014; https://securelist.
com/blog/ incidents/64107/miniduke-is-back-nemesis- gemina-and-the-botgen-studio/
![Page 27: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/27.jpg)
F-Secure Whitepaper, September 2015
27
The MiniDuke toolset consists of multiple downloader and backdoor components, which are
commonly referred to as the MiniDuke “stage 1”, “stage 2”, and “stage 3” components as per
Kaspersky’s original MiniDuke whitepaper. Additionally, a specific loader is often associated with
the MiniDuke toolset and is referred to as the “MiniDuke loader”.
While the loader has often been used together with other MiniDuke components, it has also
commonly been used in conjunction with CosmicDuke and PinchDuke. In fact, the oldest samples
of the loader that we have found were used with PinchDuke. To avoid confusion however, we have
decided to continue referring to the loader as the “MiniDuke loader”.
Two details about MiniDuke components are worth noting. Firstly, some of the MiniDuke
components were written in Assembly language. While many malware were written in Assembly
during the ‘old days‘ of curiosity-driven virus writing, it has since become a rarity. Secondly, some
of the MiniDuke components do not contain a hardcoded C&C server address, but instead obtain
the address of a current C&C server via Twitter. The use of Twitter either to initially obtain the
address of a C&C server (or as a backup if no hardcoded primary C&C server responds) is a feature
also found in OnionDuke, CozyDuke, and HammerDuke.
Further reading
1. Costin Raiu, Igor Soumenkov, Kurt Baumgartner, Vitaly Kamluk; Kaspersky Lab; The MiniDuke Mystery: PDF 0-day
Government Spy Assembler 0x29A Micro Backdoor; published 27 February 2013; http://kasperskycontenthub.com/
wp-content/ uploads/sites/43/vlpdfs/themysteryofthepdf0-dayassemblermicrobackdoor.pdf
2. CrySyS Blog; Miniduke; published 27 February 2013; http://blog.crysys.hu/2013/02/miniduke/
3. Marius Tivadar, Bíró Balázs, Cristian Istrate; BitDefender; A Closer Look at MiniDuke; published April 2013; http://labs.
bitdefender. com/wp-content/uploads/downloads/2013/04/ MiniDuke_Paper_Final.pdf
4. CIRCL - Computer Incident Response Center Luxembourg; Analysis Report (TLP:WHITE) Analysis of a stage 3 Miniduke
sample; published 30 May 2013; https://www.circl.lu/files/tr-14/ circl-analysisreport-miniduke-stage3-public.pdf
5. ESET WeLiveSecurity blog; Miniduke still duking it out; published 20 May 2014; http://www. welivesecurity.
com/2014/05/20/miniduke-still-duking/
MINIDUKE
First known activity• Loader July 2010
• Backdoor May 2011
Most recent known activity• Loader: Spring 2015
• Backdoor: Summer 2014
Other names N/A
C&C communication methods HTTP (S), Twitter
Known toolset components ◊ Downloader
◊ Backdoor
◊ Loader
![Page 28: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/28.jpg)
F-Secure Whitepaper, September 2015
28
CozyDuke is not simply a malware toolset; rather, it is a modular malware platform formed around
a core backdoor component. This component can be instructed by the C&C server to download
and execute arbitrary modules, and it is these modules that provide CozyDuke with its vast array
of functionality. Known CozyDuke modules include:
• Command execution module for executing arbitrary Windows Command Prompt commands
• Password stealer module
• NT LAN Manager (NTLM) hash stealer module
• System information gathering module
• Screenshot module
In addition to modules, CozyDuke can also be instructed to download and execute other,
independent executables. In some observed cases, these executables were self-extracting
archive files containing common hacking tools, such as PSExec and Mimikatz, combined with
script files that execute these tools. In other cases, CozyDuke has been observed downloading
and executing tools from other toolsets used by the Dukes such as OnionDuke, SeaDuke, and
HammerDuke.
EXAMPLES OF COZYDUKE PDB STRINGS
• E:\Visual Studio 2010\Projects\Agent_NextGen\Agent2011v3\Agent2011\Agent\tasks\bin\ GetPasswords\exe\GetPasswords.pdb
• D:\Projects\Agent2011\Agent2011\Agent\tasks\bin\systeminfo\exe\systeminfo.pdb
• \\192.168.56.101\true\soft\Agent\tasks\Screenshots\agent_screeshots\Release\agent_ screeshots.pdb
Further reading
1. Artturi Lehtio; F-Secure Labs; CozyDuke; published 22 April 2015; https://www.f-secure. com/documents/996508/ 1030745/CozyDuke
2. Kurt Baumgartner, Costin Raiu; Securelist; The CozyDuke APT; 21 April 2015; https://securelist. com/blog/research/69731/the-cozyduke-apt/
COZYDUKE
First known activity January 2010
Most recent known activity: Spring 2015
Other names CozyBear, CozyCar, Cozer, EuroAPT
C&C communication methods HTTP (S), Twitter (backup)
Known toolset components
◊ Dropper
◊ Modular backdoor
◊ Multiple persistence components
◊ Information gathering module
◊ Screenshot module
◊ Password stealing module
◊ Password hash stealing module
![Page 29: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/29.jpg)
F-Secure Whitepaper, September 2015
29
The OnionDuke toolset includes at least a dropper, a loader, an information stealer trojan and
multiple modular variants with associated modules.
OnionDuke first caught our attention because it was being spread via a malicious Tor exit node.
The Tor node would intercept any unencrypted executable files being downloaded and modify
those executables by adding a malicious wrapper contained an embedded OnionDuke. Once
the victim finished downloading the file and executed it, the wrapper would infect the victim’s
computer with OnionDuke before executing the original legitimate executable.
The same wrapper has also been used to wrap legitimate executable files, which were then
made available for users to download from torrent sites. Again, if a victim downloaded a torrent
containing a wrapped executable, they would get infected with OnionDuke.
Finally, we have also observed victims being infected with OnionDuke after they were already
infected with CozyDuke. In these cases, CozyDuke was instructed by its C&C server to download
and execute OnionDuke toolset.
Further reading
1. Artturi Lehtio; F-Secure Weblog; OnionDuke: APT Attacks Via the Tor Network; published 14 November 2014; https://
www.f-secure.com/ weblog/archives/00002764.html
ONIONDUKE
First known activity February 2013
Most recent known activity Spring 2015
Other names N/A
C&C communication methods HTTP (S), Twitter (backup)
Known toolset components
◊ Dropper
◊ Loader
◊ Multiple modular core components
◊ Information stealer
◊ Distributed Denial of Service (DDoS)
module
◊ Password stealing module
◊ Information gathering module
◊ Social network spamming module
![Page 30: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/30.jpg)
F-Secure Whitepaper, September 2015
30
SeaDuke is a simple backdoor that focuses on executing commands retrieved from its C&C server,
such as uploading and downloading files, executing system commands and evaluating additional
Python code. SeaDuke is made interesting by the fact that it is written in Python and designed to
be cross-platform so that it works on both Windows and Linux.
The only known infection vector for SeaDuke is via an existing CozyDuke infection, wherein
CozyDuke downloads and executes the SeaDuke toolset.
Like HammerDuke, SeaDuke appears to be used by the Dukes group primarily as a secondary
backdoor left on CozyDuke victims after that toolset has completed the initial infection and
stolen any readily available information from them.
EXAMPLE OF CROSS-PLATFORM SUPPORT FOUND IN SEADUKE'S SOURCE CODE
Further reading
1. Symantec Security Response; “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory; published 13 July 2015;
http://www.symantec.com/connect/blogs/ forkmeiamfamous-seaduke-latest-weapon- duke-armory
2. Josh Grunzweig; Palo Alto Networks; Unit 42 Technical Analysis: Seaduke; published 14 July 2015;
http://researchcenter.paloaltonetworks. com/2015/07/unit-42-technical-analysis- seaduke/
3. Artturi Lehtio; F-Secure Weblog; Duke APT group’s latest tools: cloud services and Linux support; published 22 July
2015; https://www.f- secure.com/weblog/archives/00002822.html
SEADUKE
First known activity October 2014
Most recent known activity Spring 2015
Other names SeaDaddy, SeaDask
C&C communication methods HTTP (S)
Known toolset components ◊ Backdoor
![Page 31: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/31.jpg)
F-Secure Whitepaper, September 2015
31
HammerDuke is a simple backdoor that is apparently designed for similar use cases as SeaDuke.
Specifically, the only known infection vector for HammerDuke is to be downloaded and executed
by CozyDuke onto a victim that has already been compromised by that toolset. This, together
with HammerDuke’s simplistic backdoor functionality, suggests that it is primarily used by the
Dukes group as a secondary backdoor left on CozyDuke victims after CozyDuke performed the
initial infection and stole any readily available information from them.
HammerDuke is however interesting because it is written in .NET, and even more so because
of its occasional use of Twitter as a C&C communication channel. Some HammerDuke variants
only contain a hardcoded C&C server address from which they will retrieve commands, but other
HammerDuke variants will first use a custom algorithm to generate a Twitter account name based
on the current date. If the account exists, HammerDuke will then search for tweets from that
account with links to image files that contain embedded commands for the toolset to execute.
HammerDuke’s use of Twitter and crafted image files is reminiscent of other Duke toolsets. Both
OnionDuke and MiniDuke also use date-based algorithms to generate Twitter account names
and then searched for any tweets from those accounts that linked to image files. In contrast
however, for OnionDuke and MiniDuke the linked image files contain embedded malware to be
downloaded and executed, rather than instructions.
Similarly, GeminiDuke may also download image files, but these would contain embedded
additional configuration information for the toolset itself. Unlike HammerDuke however, the
URLs for the images downloaded by GeminiDuke are hardcoded in its initial configuration, rather
than retrieved from Twitter.
Further reading
1. FireEye; HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group; published July 2015;
https://www2.fireeye.com/rs/848-DID-242/ images/rpt-apt29-hammertoss.pdf *
*APT29 is the name used by FireEye to identify the cyberespionagegroup we refer to as the Dukes.
HAMMERDUKE
First known activity January 2015
Most recent known activity Summer 2015
Other names HAMMERTOSS, Netduke
C&C communication methods HTTP (S), Twitter
Known toolset components ◊ Backdoor
![Page 32: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/32.jpg)
F-Secure Whitepaper, September 2015
32
CloudDuke is a malware toolset known to consist of, at least, a downloader, a loader and two
backdoor variants. The CloudDuke downloader will download and execute additional malware
from a preconfigured location. Interestingly, that location may be either a web address or a
Microsoft OneDrive account.
Both CloudDuke backdoor variants support simple backdoor functionality, similar to SeaDuke.
While one variant will use a preconfigured C&C server over HTTP or HTTPS, the other variant will
use a Microsoft OneDrive account to exchange commands and stolen data with its operators.
Further reading
1. Artturi Lehtio; F-Secure Weblog; Duke APT group’s latest tools: cloud services and Linux support; published 22 July
2015; https://www.f-secure. com/weblog/archives/00002822.html
2. Brandon Levene, Robert Falcone and Richard Wartell; Palo Alto Networks; Tracking MiniDionis: CozyCar’s New
Ride Is Related to Seaduke; published 14 July 2015; http://researchcenter. paloaltonetworks.com/2015/07/tracking-
minidionis-cozycars-new-ride-is-related-to- seaduke/
3. Segey Lozhkin; Securelist; Minidionis – one more APT with a usage of cloud drives; published 16 July 2015;
https://securelist.com/blog/ research/71443/minidionis-one-more-apt-with- a-usage-of-cloud-drives/
CLOUDDUKE
First known activity June 2015
Most recent known activity Summer 2015
Other names MiniDionis, CloudLook
C&C communication methods HTTP (S), Microsoft OneDrive
Known toolset components
◊ Downloader
◊ Loader
◊ Two backdoor variants
![Page 33: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/33.jpg)
F-Secure Whitepaper, September 2015
33
INFECTION VECTORS
The Dukes primarily use spear-phishing emails when attempting to infect victims with their
malware. These spear-phishing emails range from ones purposely designed to look like spam
messages used to spread common crimeware and addressed to large numbers of people, to
highly targeted emails addressed to only a few recipients (or even just one person) and with
content that is highly relevant for the intended recipient(s). In some cases, the Dukes appear to
have used previously compromised victims to send new spear-phishing emails to other targets.
The spear-phishing emails used by the Dukes may contain either specially-crafted malicious
attachments or links to URLs hosting the malware. When malicious attachments are used, they
may either be designed to exploit a vulnerability in a popular software assumed to be installed on
the victim’s machine, such as Microsoft Word or Adobe Reader, or the attachment itself may have
its icon and filename obfuscated in such a way that the file does not appear to be an executable.
The only instances which we are aware of where the Dukes did not use spear-phishing as the
initial infection vector is with certain OnionDuke variants. These were instead spread using either
a malicious Tor node that would trojanize legitimate applications on-the-fly with the OnionDuke
toolset, or via torrent files containing previously trojanized versions of legitimate applications.
Finally, it is worth noting that the Dukes are known to sometimes re-infect a victim of one of
their malware tools with another one of their tools. Examples include CozyDuke infecting its
victims with SeaDuke, HammerDuke,or OnionDuke; and CosmicDuke infecting its victims with
PinchDuke,GeminiDuke or MiniDuke.
DECOYS
The Dukes commonly employ decoys with their infection vectors. These decoys may be image
files, document files, Adobe Flash videos or similar that are presented to the victim during
the infection process in an attempt to distract them from the malicious activity. The contents
of these decoys range from non-targeted material such as videos of television commercials
showing monkeys at an office, to highly targeted documents with content directly relevant to the
intended recipient such as reports, invitations, or lists of participants to an event.
Usually, the contents of the decoys appear to be taken from public sources, either by copying
publicly accessible material such as a news report or by simply repurposing a legitimate file that
has been openly distributed. In some cases however, highly targeted decoys have been observed
using content that does not appear to be publicly available, suggesting that these contents may
have been stolen from other victims that had been infected by Duke toolsets.
![Page 34: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/34.jpg)
F-Secure Whitepaper, September 2015
34
EXPLOITATION OF VULNERABILITIES
The Dukes have employed exploits both in their infection vectors as well as in their malware. We
are however only aware of one instance - the exploitation of CVE-2013-0640 to deploy MiniDuke
- where we believe the exploited vulnerability was a zero-day at the time that the group acquired
the exploit. In all known cases where exploits were employed, we believe the Dukes did not
themselves discover the vulnerabilities or design the original exploits; for the exploited zero-day,
we believe the Dukes purchased the exploit. In all other cases, we believe the group simply
repurposed publicly available exploits or proofs of concept.
ATTRIBUTION AND STATE-SPONSORSHIP
Attribution is always a difficult question, but attempting to answer it is important in understanding
these types of threats and how to defend against them. This paper has already stated that we
believe the Dukes to be a Russian state-sponsored cyberespionage operation. To reach this
conclusion, we began by analyzing the apparent objectives and motivations of the group.
Based on what we currently know about the targets chosen by the Dukes over the past 7 years,
they appear to have consistently targeted entities that deal with foreign policy and security policy
matters. These targets have included organizations such as ministries of foreign affairs, embassies,
senates, parliaments, ministries of defense, defense contractors, and think tanks.
In one of their more intriguing cases, the Dukes have appeared to also target entities involved
in the trafficking of illegal drugs. Even such targets however appear to be consistent with the
overarching theme, given the drug trade’s relevance to security policy. Based on this, we are
confident in our conclusion that the Dukes’ primary mission is the collection of intelligence to
support foreign and security policy decision-making.
This naturally leads to the question of state-sponsorship. Based on our establishment of the
group’s primary mission, we believe the main benefactor (or benefactors) of their work is a
government. But are the Dukes a team or a department inside a government agency? An external
contractor? A criminal gang selling to the highest bidder? A group of tech-savvy patriots? We
don’t know.
Based on the length of the Dukes’ activity, our estimate of the amount of resources invested in
the operation and the fact that their activity only appears to be increasing, we believe the group
to have significant and most critically, stable financial backing. The Dukes have consistently
operated large-scale campaigns against high-profile targets while concurrently engaging in
smaller, more targeted campaigns with apparent coordination and no evidence of unintentional
overlap or operational clashes. We therefore believe the Dukes to be a single, large, well-
coordinated organization with clear separation of responsibilities and targets.
![Page 35: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/35.jpg)
F-Secure Whitepaper, September 2015
35
The Dukes appear to prioritize the continuation of their operations over stealth. Their 2015
CozyDuke and CloudDuke campaigns take this to the extreme by apparently opting for speed and
quantity over stealth and quality. In the most extreme case, the Dukes continued with their July
2015 CloudDuke campaign even after their activity had been outed by multiple security vendors.
We therefore believe the Dukes’ primary mission to be so valuable to their benefactors that its
continuation outweighs everything else.
This apparent disregard for publicity suggests, in our opinion, that the benefactors of the Dukes
is so powerful and so tightly connected to the group that the Dukes are able to operate with
no apparent fear of repercussions on getting caught. We believe the only benefactor with the
power to offer such comprehensive protection would be the government of the nation from
which the group operates. We therefore believe the Dukes to work either within or directly for a
government, thus ruling out the possibility of a criminal gang or another third party.
This leaves us with the final question: which country? We are unable to conclusively prove
responsibility of any specific country for the Dukes. All of the available evidence however does in
our opinion suggest that the group operates on behalf of the Russian Federation. Further, we are
currently unaware of any evidence disproving this theory.
Kaspersky Labs has previously noted the presence of Russian-language artefacts in some of
the Duke malware samples [9]. We have also found a Russian-language error message in many
PinchDuke samples: “Ошибка названия модуля! Название секции данных должно быть 4 байта!” This roughly translates as, “There is an error in the module’s name! The length
of the data section name must be 4 bytes!”
Additionally, Kaspersky noted that based on the compilation timestamps, the authors of the Duke
malware appear to primarily work from Monday to Friday between the times of 6am and 4pm
UTC+0 [11]. This corresponds to working hours between 9am and 7pm in the UTC+3 time zone,
also known as Moscow Standard Time, which covers, among others, much of western Russia,
including Moscow and St. Petersburg.
The Kaspersky Labs analysis of the Duke malware authors’ working times is supported by our own
analysis, as well as that performed by FireEye [22]. This assertion of time zone is also supported by
timestamps found in many GeminiDuke samples, which similarly suggest the group work in the
Moscow Standard Time timezone, as further detailed in the section on the technical analysis of
GeminiDuke (page 23).
Finally, the known targets of the Dukes - Eastern European foreign ministries, western think tanks
and governmental organizations, even Russian-speaking drug dealers - conform to publicly-
known Russian foreign policy and security policy interests. Even though the Dukes appear to
have targeted governments all over the world, we are unaware of them ever targeting the Russian
government. While absence of evidence is not evidence of absence, it is an interesting detail to
note.
![Page 36: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/36.jpg)
F-Secure Whitepaper, September 2015
36
Based on the presented evidence and analysis, we believe, with a high level of confidence, that
the Duke toolsets are the product of a single, large, well-resourced organization (which we
identify as the Dukes) that provides the Russian government with intelligence on foreign and
security policy matters in exchange for support and protection.
![Page 37: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/37.jpg)
F-Secure Whitepaper, September 2015
37
BIBLIOGRAPHY
1. The White House; Remarks By President Barack Obama In Prague As Delivered; published 5 April 2009; [Online].
Available: https://www.whitehouse.gov/the-press-office/remarks-president-barack-obama-prague-delivered
2. Wikipedia; KavKaz Center; [Online]. Available: https://en.wikipedia.org/wiki/Kavkaz_Center
3. BBC: Nato exercises ‘a dangerous move’; published 17 April 2009; [Online]. Available: http://news.bbc.co.uk/2/hi/
europe/8004399.stm
4. Tavis Ormandy; Seclists.org; Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack; published 19
January 2010; [Online]. Available: http://seclists.org/fulldisclosure/2010/Jan/341
5. Timo Hirvonen; F-Secure Labs; CosmicDuke: Cosmu with a Twist of MiniDuke; published 2 July 2014; [Online]. Available:
https://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdf
6. Yichong Lin, James T. Bennett, Thoufique Haq; FireEye Threat Research blog; In Turn, It’s PDF Time; published 12
February 2013; [Online]. Available: https://www.fireeye.com/blog/threat-research/2013/02/in-turn-its-pdf- time.html
7. Costin Raiu, Igor Soumenkov, Kurt Baumgartner, Vitaly Kamluk; Kaspersky Lab; The MiniDuke Mystery: PDF 0-day
Government Spy Assembler 0x29A Micro Backdoor; published 27 February 2013; [Online]. Available: http://
kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/themysteryofthepdf0- dayassemblermicrobackdoor.
8. Laboratory of Cryptography and System Security (CrySyS Lab); Miniduke: Indicators; published 27 February 2013;
[Online]. Available: http://www.crysys.hu/miniduke/miniduke_indicators_public.pdf
9. Mikko Hypponen; F-Secure Weblog; Targeted Attacks and Ukraine; published 1 April 2014; [Online]. Available: https://
www.f-secure.com/weblog/archives/00002688.html
10. Feike Hacquebord; Trend Micro; Pawn Storm’s Domestic Spying Campaign Revealed; Ukraine and US Top Global Targets;
published 18 August 2015; [Online]. Available: http://blog.trendmicro.com/trendlabs-security- intelligence/pawn-
storms-domestic-spying-campaign-revealed-ukraine-and-us-top-global-targets/
11. GReAT; Securelist; Miniduke is back: Nemesis Gemina and the Botgen Studio; published 3 July 2014; [Online]. Available:
https://securelist.com/blog/incidents/64107/miniduke-is-back-nemesis-gemina-and-the-botgen- studio/
12. Boost C++ Libraries; Version 1.54.0; published 1 July 2013; [Online]. Available: http://www.boost.org/users/ history/
version_1_54_0.html
13. Artturi Lehtio; F-Secure Weblog; OnionDuke: APT Attacks Via the Tor Network; published 14 November 2014; [Online].
Available: https://www.f-secure.com/weblog/archives/00002764.html
14. Artturi Lehtio; F-Secure Labs; CozyDuke; published 22 April 2015; [Online]. Available: https://www.f-secure.com/
documents/996508/ 1030745/CozyDuke
15. Symantec Security Response; “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory; published 13 July 2015;
[Online]. Available: http://www.symantec.com/connect/blogs/forkmeiamfamous-seaduke-latest- weapon-duke-
armory
16. Brandon Levene, Robert Falcone and Richard Wartell; Palo Alto Networks; Tracking MiniDionis: CozyCar’s New Ride Is
Related to Seaduke; published 14 July 2015; [Online]. Available: http://researchcenter.paloaltonetworks. com/2015/07/
tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/
17. Segey Lozhkin; Securelist; Minidionis – one more APT with a usage of cloud drives; published 16 July 2015; [Online].
Available: https://securelist.com/blog/research/71443/minidionis-one-more-apt-with-a-usage-of-cloud- drives/
18. malware@prevenity; Malware w 5 rocznicę katastrofy samolotu; published 22 April 2015; [Online]. Available: http://
malware.prevenity.com/2015/04/malware-w-5-rocznice-katastrofy-samolotu.html (in Polish)19. malware@prevenity; Wykradanie danych z instytucji publicznych; published 11 August 2015; [Online]. Available: http://
malware.prevenity.com/2015/08/wykradanie-danych-z-instytucji.html (in Polish)20. Wikipedia; Moscow Time; [Online]. Available: https://en.wikipedia.org/wiki/Moscow_Time
21. Exploit Database; CVE: 2010-4398; published 24 November 2014; [Online]. Available: https://www.exploit-db.com/
exploits/15609/
22. FireEye; HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group; published July 2015; [Online]. Available:
https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf *
23. tz_world, an efele.net/tz map; Eric Muller; tz_russia, an efele.net/tz map: A shapefile of the TZ timezones of Russia;
published 2 May 2013; [Online]. Available: http://efele.net/maps/tz/russia/
![Page 38: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/38.jpg)
F-Secure Whitepaper, September 2015
38
PinchDuke
Campaign identifiers
• alkavkaz.com20081105
• cihaderi.net20081112
• 20090111
• diploturk_20090305_faruk
• 20090310I
• mofa.go.ug_20090317
• plcz_20090417
• 20090421_NN1
• 20090427_n_8
• 20090513_Cr
• natoinfo_ge
• 20090608_G
• mod_ge_2009_07_03
• 20090909_Bel
• mofa-go-ug-2009-09-09
• 20091008_Af
• nat_20092311
• turtsia_20091128
• mfagovtr_20091204
• modge_20100126
• GEN20100215
• par_ge_20100225
• pr_ge_20100225
• tika_20100326
• harpa_20100329
• sanat_20100412
• mfakg_20100413
• leskz_20100414
• leskg_20100422
• az_emb_uz_20100518
• sat_20100524
• emb_azerb_uz_20100609
• sat_2010_07_26
• kaz_2010_07_30
Malware SHA1 hashes
• 07b4e44b6b3e1c3904ded7d6c9dcf7fa609467ef
• 0cf68d706c38ab112e0b667498c24626aec730f6
• 155004c1cc831a7f39caf2bec04f1841b61af802
• 17df96e423320ddfb7664413bf562a6b1aaef9d4
• 1c124e1523fcbef25c4f3074b1f8088bcad2230f
• 285ac0fb341e57c87964282f621b3d1f018ab7ea
• 2f156a9f861cda356c4ddf332d71937ac9962c68
• 333f5acc35ea0206f7d1deadcb94ca6ec9564d02
• 34af1909ec77d2c3878724234b9b1e3141c91409
• 383fc3c218b9fb0d4224d69af66caf09869b4c73
• 45ee9aa9f8ef3a9cc0b4b250766e7a9368a30934
• 52164782fc9f8a2a6c4be2b9cd000e4a60a860ed
• 7371eecafbaeefd0dc5f4dd5737f745586133f59
• 797b3101b9352be812b8d411179ae765e14065a6
• a10f2dc5dbdbf1a11ebe4c3e59a4c0e5d14bcc8a
• a3dfb5643c824ae0c3ba2b7f3efb266bfbf46b02
• ad2cac618ab9d9d4a16a2db32410607bbf98ce8f
• bf48d8126e84185e7825b69951293271031cbad4
• c1e229219e84203ba9e26f2917bd268656ff4716
• c59114c79e3d3ddd77d6919b88bc99d40205e645
• c8ae844baea44ec1db172ae9b257dbac04dcbbe7
• d5905327f213a69f314e2503c68ef5b51c2d381e
• e7720ab728cb18ea329c7dd7c9b7408e266c986b
• fdc65f38f458ceddf5a5e3f4b44df7337a1fb415
• fdfd9abbaafe0bee747c0f1d7963d903174359df
Exploit file SHA1 hashes
• 50f8ea7eb685656c02a83420b3910d14ac588c8b
• 9fae684a130c052ad2b55ebaf7f6e513c0e62abe
APPENDIX I: DATA LISTINGS
![Page 39: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/39.jpg)
F-Secure Whitepaper, September 2015
39
GeminiDuke
Malware SHA1 hashes
• 3ed561786ca07c8e9862f4f682c1828a039d6dd4
• 6b0b8ad038c7ae2efbad066b8ba22de859b81f98
• a3653091334892cf97a55715c7555c8881230bc4
• b14b9241197c667f00f86d096d71c47d6fa9aca6
• c011552d61ac5a87d95e43b90f2bf13077856def
CosmicDuke
Malware SHA1 hashes
• 01e5080b832c6e4fcb7b9d06caffe03dab8d95da
• 02f55947402689ec755356ab6b0345a592446da7
• 03c5690728b7dffb2f4ab947fe390264751428aa
• 0653a8f06b140f4fac44acb3be723d7bb2602558
• 0bc8485ce6c24bb888e2329d479c9b7303bb98b4
• 0c8db6542172de98fa16c9bacfef9ed4099fd872
• 0d8f41fe09dbd75ab953f9e64a6cdbbbc198bf2b
• 0e5f55676e01d8e41d77cdc43489da8381b68086
• 0ff7ce34841c03c876b141c1f46d0ff2519889cc
• 11b5cfb37efb45d2c721cbf20cab7c1f5c1aa44b
• 151362502d569b16453e84a2f5d277d8e4e878c2
• 174373ab44cf6e7355f9dbb8469453519cb61a44
• 18d983ba09da695ce704ab8093296366b543996a
• 1a31245e943b131d81375d70b489d8e4bf3d6dce
• 1ce049522c4df595a1c4c9e9ca24be72dc5c6b28
• 1df78a1dc0aa3382fcc6fac172b70aafd0ed8d3d
• 1e5c6d3f64295cb36d364f7fa183177a3f5e6b7e
• 2345cd5c112e55ba631dac539c8efab850c536b2
• 2b1e7d54723cf9ee2fd133b8f17fa99470d7a51a
• 322e042cf1cb43a8072c4a4cbf6e37004a88d6f7
• 332aac7bdb0f697fd96e35c31c54d15e548061f4
• 365f61c7886ca82bfdf8ee19ce0f92c4f7d0901e
• 3980f0e3fe80b2e7378325ab64ecbe725ae5eca9
• 3f4a5bf72a15b7a8638655b24eb3359e229b9aea
• 42dbfbedd813e6dbea1398323f085a88fa014293
• 4a9875f646c5410f8317191ef2a91f934ce76f57
• 4aaac99607013b21863728b9453e4ffee67b902e
• 4e3c9d7eb8302739e6931a3b5b605efe8f211e51
• 4fbc518df60df395ea27224cb85c4da2ff327e98
• 4fd46c30fb1b6f5431c12a38430d684ed1ff5a75
• 524aaf596dc12b1bb479cd69c620914fd4c3f9c9
• 541816260c71535cfebc743b9e2770a3a601acdf
• 558f1d400be521f8286b6a51f56d362d64278132
• 55f83ff166ab8978d6ce38e80fde858cf29e660b
• 580eca9e36dcd1a2deb9075bcae90afee46aace2
• 5a199a75411047903b7ba7851bf705ec545f6da9
• 5c5ec0b5112a74a95edc23ef093792eb3698320e
• 63aedcd38fe947404dda4fbaddb1da539d632417
• 6483ed51bd244c7b2cf97db62602b19c27fa3059
• 658db78c0ce62e08e86b51988a222b5fb5fbb913
• 6a43ada6a3741892b56b0ef38cdf48df1ace236d
• 6b7a4ccd5a411c03e3f1e86f86b273965991eb85
• 6db1151eeb4339fc72d6d094e2d6c2572de89470
• 7631f1db92e61504596790057ce674ee90570755
• 764add69922342b8c4200d64652fbee1376adf1c
• 7803f160af428bcfb4b9ea2aba07886f232cde4e
• 78d1c1e11ebae22849bccb3eb154ec986d992364
• 7ad1bef0ba61dbed98d76d4207676d08c893fc13
• 807c3db7385972a78b6d217a379dab67e68a3cf5
• 88b7ead7c0bf8b3d8a54b4a9c8871f44d1577ce7
• 8a2227cafa5713297313844344d6b6d9e0885093
• 8aa9f5d426428ec360229f4cb9f722388f0e535c
• 8ab7f806fa18dd9a9c2dc43db0ad3ee79060b6e8
• 8f4138e9588ef329b5cf5bc945dee4ad9fec1dff
• 9090de286ce9126e8e9c1c3a175a70ab4656ca09
• 91fd13a6b44e99f7235697ab5fe520d540279741
• 926046f0c727358d1a6fbdd6ff3e28bc67d5e2f6
• 9700c8a41a929449cfba6567a648e9c5e4a14e70
• 97c62e04b0ce401bd338224cdd58f5943f47c8de
• a2ed0eaaeadaa90d25f8b1da23033593bb76598e
• a421e0758f1007527fec4d72fa2668da340554c9
• a74eceea45207a6b46f461d436b73314b2065756
• a7819c06746ae8d1e5d5111b1ca711db0c8d923e
• a81b58b2171c6a728039dc493faaf2cab7d146a5
• b2a951c5b2613abdb9174678f43a579592b0abc9
• b54b3c67f1827dab4cc2b3de94ff0af4e5db3d4c
• b579845c223331fea9dfd674517fa4633082970e
• bbe24aa5e554002f8fd092fc5af7747931307a15
• c2b5aff3435a7241637f288fedef722541c4dad8
• c637a9c3fb08879e0f54230bd8dca81deb6e1bcf
• cbca642acdb9f6df1b3efef0af8e675e32bd71d1
• ccb29875222527af4e58b9dd8994c3c7ef617fd8
• cd7116fc6a5fa170690590e161c7589d502bd6a7
• d303a6ddd63ce993a8432f4daab5132732748843
• e60d36efd6b307bef4f18e31e7932a711106cd44
• e841ca216ce4ee9e967ffff9b059d31ccbf126bd
• ecd2feb0afd5614d7575598c63d9b0146a67ecaa
• ed14da9b9075bd3281967033c90886fd7d4f14e5
• ed328e83cda3cdf75ff68372d69bcbacfe2c9c5e
• f621ec1b363e13dd60474fcfab374b8570ede4de
• fbf290f6adad79ae9628ec6d5703e5ffb86cf8f1
fecdba1d903a51499a3953b4df1d850fbd5438bd
Exploit file SHA1 hashes
• 1e770f2a17664e7d7687c53860b1c0dc0da7157e
• 353540c6619f2bba2351babad736599811d3392e
• 412d488e88deef81225d15959f48479fc8d387b3
• 5295b09592d5a651ca3f748f0e6401bd48fe7bda
• 65681390d203871e9c21c68075dbf38944e782e8
• 74bc93107b1bbae2d98fca6d819c2f0bbe8c9f8a
• 8949c1d82dda5c2ead0a73b532c4b2e1fbb58a0e
• c671786abd87d214a28d136b6bafd4e33ee66951
• f1f1ace3906080cef52ca4948185b665d1d7b13e
![Page 40: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/40.jpg)
F-Secure Whitepaper, September 2015
40
MiniDuke
Malware SHA1 hashes
• 00852745cb40730dc333124549a768b471dff4bc
• 03661a5e2352a797233c23883b25bb652f03f205
• 045867051a6052d1d910abfcb24a7674bcc046ca
• 0d78d1690d2db2ee322ca11b82d79c758a901ebc
• 0e263d80c46d5a538115f71e077a6175168abc5c
• 103c37f6276059a5ff47117b7f638013ccffe407
• 118114446847ead7a2fe87ecb4943fdbdd2bbd1e
• 15c75472f160f082f6905d57a98de94c026e2c56
• 1ba5bcd62abcbff517a4adb2609f721dd7f609df
• 1e6b9414fce4277207aab2aa12e4f0842a23f9c1
• 223c7eb7b9dde08ee028bba6552409ee144db54a
• 28a43eac3be1b96c68a1e7463ae91367434a2ac4
• 296fd4c5b4bf8ea288f45b4801512d7dec7c497b
• 2a13ae3806de8e2c7adba6465c4b2a7bb347f0f5
• 2ceae0f5f3efe366ebded0a413e5ea264fbf2a33
• 2d74a4efaecd0d23afcad02118e00c08e17996ed
• 30b377e7dc2418607d8cf5d01ae1f925eab2f037
• 31ab6830f4e39c2c520ae55d4c4bffe0b347c947
• 36b969c1b3c46953077e4aabb75be8cc6aa6a327
• 416d1035168b99cc8ba7227d4c7c3c6bc1ce169a
• 43fa0d5a30b4cd72bb7e156c00c1611bb4f4bd0a
• 493d0660c9cf738be08209bfd56351d4cf075877
• 4b4841ca3f05879ca0dab0659b07fc93a780f9f1
• 4ec769c15a9e318d41fd4a1997ec13c029976fc2
• 53140342b8fe2dd7661fce0d0e88d909f55099db
• 5acaea49540635670036dc626503431b5a783b56
• 5b2c4da743798bde4158848a8a44094703e842cb
• 634a1649995309b9c7d163af627f7e39f42d5968
• 683104d28bd5c52c53d2e6c710a7bd19676c28b8
• 694fa03160d50865dce0c35227dc97ffa1acfa48
• 73366c1eb26b92886531586728be4975d56f7ca5
• 827de388e0feabd92fe7bd433138aa35142bd01a
• 909d369c42125e84e0650f7e1183abe740486f58
• 9796d22994ff4b4e838079d2e5613e7ac425dd1d
• a32817e9ff07bc69974221d9b7a9b980fa80b677
• a4e39298866b72e5399d5177f717c46861d8d3df
• a6c18fcbe6b25c370e1305d523b5de662172875b
• a9e529c7b04a99019dd31c3c0d7f576e1bbd0970
• ad9734b05973a0a0f1d34a32cd1936e66898c034
• b27f6174173e71dc154413a525baddf3d6dea1fd
• b8b116d11909a05428b7cb6dcce06113f4cc9e58
• c17ad20e3790ba674e3fe6f01b9c10270bf0f0e4
• c39d0b12bb1c25cf46a5ae6b197a59f8ea90caa0
• c6d3dac500de2f46e56611c13c589e037e4ca5e0
• cb3a83fc24c7b6b0b9d438fbf053276cceaacd2e
• cc3df7de75db8be4a0a30ede21f226122d2dfe87
• cd50170a70b9cc767aa4b21a150c136cb25fbd44
• cdcfac3e9d60aae54586b30fa5b99f180839deed
• d22d80da6f042c4da3392a69c713ee4d64be8bc8
• d81b0705d26390eb82188c03644786dd6f1a2a9e
• de8e9def2553f4d211cc0b34a3972d9814f156aa
• e4add0b118113b2627143c7ef1d5b1327de395f1
• e95e2c166be39a4d9cd671531b376b1a8ceb4a55
• edf74413a6e2763147184b5e1b8732537a854365
• efcb9be7bf162980187237bcb50f4da2d55430c2
• f62600984c5086f2da3d70bc1f5042cf464f928d
CozyDuke
Malware SHA1 hashes
• 01d3973e1bb46e2b75034736991c567862a11263
• 04aefbf1527536159d72d20dea907cbd080793e3
• 0e020c03fffabc6d20eca67f559c46b4939bb4f4
• 1e5f6a5624a9e5472d547b8aa54c6d146813f91d
• 207be5648c0a2e48be98dc4dc1d5d16944189219
• 23e20c523b9970686d913360d438c88e6067c157
• 25b6c73124f11f70474f2687ad1de407343ac025
• 32b0c8c46f8baaba0159967c5602f58dd73ebde9
• 446daabb7ac2b9f11dc1267fbd192628cc2bac19
• 482d1624f9450ca1c99926ceec2606260e7ce544
• 49fb759d133eeaab3fcc78cec64418e44ed649ab
• 5150174a4d5e5bb0bccc568e82dbb86406487510
• 543783df44459a3878ad00ecae47ff077f5efd7b
• 6b0721a9ced806076f84e828d9c65504a77d106c
• 6e00b86a2480abc6dbd971c0bf6495d81ed1b629
• 78e9960cc5819583fb98fb619b33bff7768ee861
• 7e9eb570ef07b793828c28ca3f84177e1ab76e14
• 8099a40b9ef478ee50c466eb65fe71b247fcf014
• 87668d14910c1e1bb8bbea0c6363f76e664dcd09
• 8b357ff017df3ed882b278d0dbbdf129235d123d
• 8c3ed0bbdc77aec299c77f666c21659840f5ce23
• 93d53be2c3e7961bc01e0bfa5065a2390305268c
• 93ee1c714fad9cc1bf2cba19f3de9d1e83c665e2
• 9b56155b82f14000f0ec027f29ff20e6ae5205c2
• b65aa8590a1bac52a85dbd1ea091fc586f6ab00a
• bdd2bae83c3bab9ba0c199492fe57e70c6425dd3
• bf265227f9a8e22ea1c0035ac4d2449ceed43e2b
• bf9d3a45273608caf90084c1157de2074322a230
• c3d8a548fa0525e1e55aa592e14303fc6964d28d
• c6472898e9085e563cd56baeb6b6e21928c5486d
• ccf83cd713e0f078697f9e842a06d624f8b9757e
• dea73f04e52917dc71cc4e9d7592b6317e09a054
• e0779ac6e5cc76e91fca71efeade2a5d7f099c80
• e76da232ec020d133530fdd52ffcc38b7c1d7662
• e78870f3807a89684085d605dcd57a06e7327125
• e99a03ebe3462d2399f1b819f48384f6714dcba1
• ea0cfe60a7b7168c42c0e86e15feb5b0c9674029
• eb851adfada7b40fc4f6c0ae348694500f878493
• f2ffc4e1d5faec0b7c03a233524bb78e44f0e50b
• f33c980d4b6aaab1dc401226ab452ce840ad4f40
• f7d47c38eca7ec68aa478c06b1ba983d9bf02e15
![Page 41: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/41.jpg)
F-Secure Whitepaper, September 2015
41
OnionDuke
Malware SHA1 hashes
• 073faad9c18dbe0e0285b2747eae0c629e56830c
• 145c5081037fad98fa72aa4d6dc6c193fdb1c127
• 16b632b4076a458b6e2087d64a42764d86b5b021
• 1e200fbb02dc4a51ea3ede0b6d1ff9004f07fe73
• 22bae6be13561cec758d25fa7adac89e67a1f33a
• 25e0af331b8e9fed64dc0df71a2687be348100e8
• 3bf6b0d49b8e594f8b59eec98942e1380e16dd22
• 42429d0c0cade08cfe4f72dcd77892b883e8a4bc
• 5ccff14ce7c1732fadfe74af95a912093007357f
• 61283ef203f4286f1d366a57e077b0a581be1659
• 6b3b42f584b6dc1e0a7b0e0c389f1fbe040968aa
• 6b631396013ddfd8c946772d3cd4919495298d40
• 7b3652f8d51bf74174e1e5364dbbf901a2ebcba1
• 7d17917cb8bc00b022a86bb7bab59e28c3453126
• 7d871a2d467474178893cd017e4e3e04e589c9a0
• 7efd300efed0a42c7d1f568e309c45b2b641f5c2
• 91cb047f28a15b558a9a4dff26df642b9001f8d7
• 9a277a63e41d32d9af3eddea1710056be0d42347
• a75995f94854dea8799650a2f4a97980b71199d2
• b3873d2c969d224b0fd17b5f886ea253ac1bfb5b
• b491c14d8cfb48636f6095b7b16555e9a575d57f
• c1ec762878a0eed8ebf47e122e87c79a5e3f7b44
• cce5b3a2965c500de8fa75e1429b8be5aa744e14
• d433f281cf56015941a1c2cb87066ca62ea1db37
• e09f283ade693ff89864f6ec9c2354091fbd186e
• e519198de4cc8bcb0644aa1ab6552b1d15c99a0e
• f2b4b1605360d7f4e0c47932e555b36707f287be
• f3dcbc016393497f681e12628ad9411c27e57d48
SeaDuke
Malware SHA1 hashes
• 3459d9c27c31c0e8b2ea5b21fdc200e784c7edf4
• aa7cf4f1269fa7bca784a18e5cecab962b901cc2
• bb71254fbd41855e8e70f05231ce77fee6f00388
HammerDuke
Malware SHA1 hashes
• 42e6da9a08802b5ce5d1f754d4567665637b47bc
CloudDuke
Malware SHA1 hashes
• 04299c0b549d4a46154e0a754dda2bc9e43dff76
• 10b31a17449705be20890ddd8ad97a2feb093674
• 2e27c59f0cf0dbf81466cc63d87d421b33843e87
• 2f53bfcd2016d506674d0a05852318f9e8188ee1
• 317bde14307d8777d613280546f47dd0ce54f95b
• 44403a3e51e337c1372b0becdab74313125452c7
• 47f26990d063c947debbde0e10bd267fb0f32719
• 4800d67ea326e6d037198abd3d95f4ed59449313
• 52d44e936388b77a0afdb21b099cf83ed6cbaa6f
• 6a3c2ad9919ad09ef6cdffc80940286814a0aa2c
• 7b8851f98f765038f275489c69a485e1bed4f82d
• 84ba6b6a0a3999c0932f35298948f149ee05bc02
• 910dfe45905b63c12c6f93193f5dc08f5b012bc3
• 9f5b46ee0591d3f942ccaa9c950a8bff94aa7a0f
• bfe26837da22f21451f0416aa9d241f98ff1c0f8
• c16529dbc2987be3ac628b9b413106e5749999ed
• cc15924d37e36060faa405e5fa8f6ca15a3cace2
• d7f7aef824265136ad077ae4f874d265ae45a6b0
• dea6e89e36cf5a4a216e324983cc0b8f6c58eaa8
• ed0cf362c0a9de96ce49c841aa55997b4777b326
• f54f4e46f5f933a96650ca5123a4c41e115a9f61
• f97c5e8d018207b1d546501fe2036adfbf774cfd
• fe33b9f95db53c0096ae9fb9672f9c7c32d22acf
![Page 42: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/42.jpg)
F-Secure Whitepaper, September 2015
42
Related IP addresses
• 128.199.138.233
• 151.236.23.31
• 173.236.70.212
• 176.74.216.14
• 178.21.172.157
• 178.63.149.142
• 184.154.184.83
• 188.116.32.164
• 188.241.115.41
• 188.40.13.99
• 195.43.94.104
• 199.231.188.109
• 212.76.128.149
• 46.246.120.178
• 46.246.120.178
• 5.45.66.134
• 50.7.192.146
• 64.18.143.66
• 66.29.115.55
• 69.59.28.57
• 82.146.47.163
• 82.146.51.22
• 83.149.74.73
• 85.17.143.149
• 87.118.106.55
• 87.255.77.36
• 88.150.208.207
• 91.221.66.242
• 91.224.141.235
• 94.242.199.88
• 96.9.182.37
Related domain names
• airtravelabroad.com
• beijingnewsblog.net
• deervalleyassociation.com
• greencastleadvantage.com
• grouptumbler.com
• juliet.usexy.cc
• leveldelta.com
• nasdaqblog.net
• natureinhome.com
• nestedmail.com
• nostressjob.com
• nytunion.com
• oilnewsblog.com
• overpict.com
• serials.hacked.jp
• sixsquare.net
• store.extremesportsevents.net
• ustradecomp.com Note: the listed IP addresses and domain names are provided for research purposes. While all of them have been associated with the Dukes at some point in time, they may or may not be currently in use by the Dukes.
F-Secure detection names
• Backdoor:W32/MiniDuke.A
• Trojan-Dropper:W32/MiniDuke.B
• Exploit:W32/MiniDuke.C
• Trojan-Dropper:W32/MiniDuke.D
• Backdoor:W32/MiniDuke.E
• Backdoor:W32/MiniDuke.F
• Backdoor:W32/MiniDuke.F
• Backdoor:W32/MiniDuke.H
• Backdoor:W32/MiniDuke.I
• Backdoor:W32/MiniDuke.J
• Trojan-Dropper:W32/CosmicDuke.A
• Trojan-PSW:W32/CosmicDuke.B
• Trojan:W32/CosmicDuke.C
• Exploit:W32/CosmicDuke.D
• Exploit:SWF/CosmicDuke.E
• Trojan-PSW:W32/CosmicDuke.F
• Trojan-Dropper:W32/CosmicDuke.G
• Trojan:W32/CosmicDuke.H
• Trojan:W32/CosmicDuke.I66.29.115.55
• Backdoor:W32/OnionDuke.A
• Trojan-Dropper:W32/OnionDuke.A
• Backdoor:W32/OnionDuke.B
• Trojan:W32/OnionDuke.C
• Trojan:W32/OnionDuke.D
• Trojan-PSW:W32/OnionDuke.E
• Trojan:W32/OnionDuke.F
• Trojan:W32/OnionDuke.G
• Trojan:W32/CozyDuke.A
• Trojan:W32/CozyDuke.B
• Trojan-Dropper:W32/CozyDuke.C
• Trojan:W32/CozyDuke.D
• Trojan:W64/CozyDuke.E
• Trojan-Downloader:W32/CloudDuke.A
• Trojan:W32/CloudDuke.B
• Trojan:W64/CloudDuke.B
• Backdoor:W32/SeaDuke.A
Note: F-Secure also detects various Duke malware components with other detections not specific to the Dukes.
![Page 43: THE DUKES 7 YEARS OF RUSSIAN CYBERESPIONAGE · 2020-03-26 · F-Secure Whitepaper, September 2015 3 EXECUTIVE SUMMARY The Dukes are a well-resourced, highly dedicated and organized](https://reader034.fdocuments.net/reader034/viewer/2022042111/5e8ce22f44b0364f030f15a4/html5/thumbnails/43.jpg)
ABOUT F-SECURE
Nobody has better visibility into real-life cyber attacks than F-Secure. We’re closing the gap between detection and response,
utilizing the unmatched threat intelligence of hundreds of our industry’s best technical consultants, millions of devices running
our award-winning software, and ceaseless innovations in artificial intelligence. Top banks, airlines, and enterprises trust our
commitment to beating the world’s most potent threats.
Together with our network of the top channel partners and over 200 service providers, we’re on a mission to make sure everyone has the enterprise-grade cyber security we all need. Founded in
1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.
f-secure.com/business | twitter.com/fsecure | linkedin.com/f-secure